The University of Texas at Tyler

Data Classification

UT Tyler Office of Information Security

Purpose:

The purpose of this section is to establish a classification scheme for official data and information maintained by the University of Texas at Tyler and to establish responsibilities for its protection from unauthorized release or modification. To that end, this section assigns responsibilities for the control and stewardship of such data.

Scope:

The data classification program pertains to stewardship of all data assets at UT Tyler, whether digitized/electronic, in paper form, or spoken. It is directed toward the classification and subsequent protection of information used in the conduct of official business; the form in which data is represented is irrelevant to the requirement to classify and protect it.

Authority:

Federal laws such as the Family Educational Rights and Privacy Act (FERPA), the Privacy Protection Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Intellectual Property Act, the Gramm-Leach-Bliley Act and the Freedom of Information Act require oversight and protection of specific types of data. This program outlines the university-recommended procedure to classify and protect data in accordance with applicable Federal and State requirements.

Roles:

The Department of Information Resources’ Texas Administrative Code 202 (TAC 202) requires that owners, custodians, and users of information resources be identified, and their responsibilities defined and documented by the state agency. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security function as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:

Owner Responsibilities:

The owner or his or her designated representative(s) are responsible for and authorized to:

  • Approve access and formally assign custody of an information resources asset;
  • Determine the asset's value;
  • Specify data control requirements and convey them to users and custodians;
  • Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure;
  • Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data;
  • Ensure compliance with applicable controls;
  • Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures;
  • Identify an Information Security Administrator (ISA) for the system that contains the data for which they are responsible;
  • Review access lists based on documented security risk management decisions;

Examples of data owners:

  • Supervisors in Offices of the Registrar, Financial Aid, Admissions, Student Business Services, Advancement;
  • Deans of the Colleges;

Custodian responsibilities:

Custodians of information resources, including entities providing outsourced information resources services to state agencies, must:

  • Implement the controls specified by the owner(s);
  • Provide physical and procedural safeguards for the information resources;
  • Assist owners in evaluating the cost-effectiveness of controls and monitoring;
  • Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents;

Examples of custodians:

  • Centralized & decentralized server administrators who maintain server operating systems, server applications, or perform and maintain backups of systems;

Information Security Administrator (ISA) responsibilities:

The ISA is responsible for maintaining the security of the operating system, application and the data housed on the system, as well as assigning security approved by data owners. The ISA must:

  • Test and apply operating system updates and patches, defined as critical in nature, expediently;
  • Test and apply application patches, defined as critical in nature, expediently;
  • When possible, install antivirus software and configure daily updates of virus definitions;
  • Remove services which are not necessary;
  • Only make changes to application security upon formal request from data owner;
  • Report all incidents to Information Security Office;

User responsibilities:

Users of information resources shall use the resources only for defined purposes and comply with established controls.

Examples of users:

  • Faculty members
  • Database administrator
  • Administrative assistants
  • Student workers
  • Cashiers

Data Classification Categories:

The University of Texas at Tyler classifies its official university data into three categories – Category I, Category II, and Category III as described in this section.

Classifying Data.

The primary consideration in classifying data is damage that would accrue to UT Tyler should the data be inadvertently released to unauthorized parties through any means. Loss of Category I data would do significant harm to the University. Significant harm must include any data whose protection is mandated by Federal or State law or data that would cause irreparable harm to the University or its reputation (e.g., compromise of donor financial holdings or data that would result in a negative image for the University). Loss of Category I data would delay or prevent UT Tyler from fulfilling its mission. Loss of Category II data would result in less substantial harm and its protection is not mandated by law. Category II data may require the same or similar protections as Category I data, but its loss or compromise is not deemed unmanageable (e.g., individual student test scores). Category III data is public and requires no protection.

General Examples.

Data classification authorities will use the criteria outlined below to decide which classification their data fall under. Classification depends on several factors combined with management judgment.

To assist in deciding on the appropriate classification, general examples are given below. These are not intended to be comprehensive or definitive. The actual end classification determination is a management decision based on data sensitivity and harm done if the data is inappropriately released or compromised. The University of Texas at Austin’s Data Classification Standard is the source of the specific examples provided.

Category I data:

University data protected specifically by federal or state law or University of Texas at Tyler rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).

Specific examples of Category I data include (but are not limited to) the following:

  • Patient Medical/Health Information (HIPAA). The following information is confidential:
    • Social Security number
    • Patient names, street address, city, county, zip code, telephone / fax numbers
    • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
    • Personal vehicle information
    • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
    • Access device numbers (building access code, etc.)
    • Biometric identifiers and full face images
    • Any other unique identifying number, characteristic, or code
    • Payment Guarantor's information
  • Student Records (FERPA). The following information is confidential:
    • Social Security number
    • Grades (including test scores, assignments, and class grades)
    • Student financials, credit cards, bank accounts, wire transfers, payment history, financial aid/grants, student bills
    • Access device numbers (building access code, etc.)
    • Biometric identifiers
  • Donor/Alumni Information (UT System Policy, Texas Identity Theft Enforcement and Protection Act, HIPAA). The following information is confidential:
    • Social Security number
    • Name
    • Personal financial information
    • Family information
    • Medical information
    • Credit card numbers, bank account numbers, amount / what donated
    • Telephone/fax numbers, email URLs
  • Research Information (Granting Agency Agreements, Other IRB Governance). The following information is confidential:
    • Human subject information
    • Sensitive digital research data
  • Employee Information (UT System Policy, Texas Identity Theft Enforcement and Protection Act). The following information is confidential:
    • Social Security number
    • Personal financial information, including non-UT Tyler income level and sources
    • Insurance benefit information
    • Access device numbers (building access code, etc.)
    • Biometric identifiers
    • Family information, home address, and home phone number may be revealed unless restricted by the employee.
  • Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure Agreement). The following information is confidential:
    • Vendor social security number
    • Credit card information
    • Contract information (between UT Austin and a third party)
    • Access device numbers (ISO number, building access code, etc.)
    • Biometric identifiers
    • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Other Institutional Data (Gramm-Leach-Bliley Act, Other). The following information is confidential:
    • Information pertaining to the Office of Institutional Relations and Legal Affairs
    • Financial records
    • Contracts
    • Physical plant detail
    • Credit card numbers
    • Certain management information
    • Critical infrastructure detail
    • User account passwords

Category II data:

University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Specific examples of Category II data include (but are not limited to) the following:

  • The calendar for a university official or employee
  • The emails of a university official or employee containing sensitive information
  • Date of birth, place of birth of students or employees
  • Internal audit data
  • Student evaluations of a specific faculty member
  • Human subjects research data with no personal identifying information
  • Specific library data including patrons' names, which book was checked out, date of check-out, etc.

Category III data:

University data not otherwise identified as Category-I or Category-II data (e.g., publicly available).

Specific examples of Category III data include (but are not limited to) the following:

  • Departmental Web site
  • Blogs
  • Library holdings
  • Public phone directory
  • Course catalog and curriculum information
  • General benefits information
  • Enrollment figures
  • Publicized research findings
  • State budget
  • All public information

Responsibility for Data Classification:

Texas Administrative Code 202.21

“The owner of an information resource, with the state agency head's or his or her designated representative's(s') concurrence, is responsible for classifying business functional information.”

The University of Texas at Tyler’s Information Security Office, upon request, will assist data owners in classifying the data for which they are responsible.

Data protection measures:

Data classified in Category I, II, or III as defined above or as classified by the appropriate UT Tyler data owner will be protected by data users/custodians/ISAs as outlined in the table below. It is important in implementing data protection measures to keep in mind that loss of Category I data is more severe than loss of Category II data and may require a higher level of vigilance. Additionally, the table below is not intended to be an all-encompassing list – it should serve as a starting point and as an example of good protection practices.

 

| Data Protection Category | Description | Cat I | Cat II & III |
|---|---|---|---|
| Backups | System administrators should establish and follow a procedure to carry out regular system backups. | Required | Recommended |
| | Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. | Required | Recommended |
| Change Management | There must be a documented change management process. | Required | Recommended |
| | System changes should be evaluated prior to being applied in a production environment. If a test environment is available, patches must be tested prior to installation in the production environment. | Required | Recommended |
| Virus Protection | Anti-virus software must be installed and enabled if available for operating system. | Required | Required |
| | Anti-virus software should be configured to update signatures daily. | Required | Required |
| Physical Access | Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended. | Required | Recommended |
| | Backup media must be secured from unauthorized physical access. | Required | Recommended |
| System Hardening | Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | Recommended |
| | Operating system and application services security patches should be installed expediently and in a manner consistent with documented change management procedures. | Required | Recommended |
| | If automatic notification of new patches is available, that option should be enabled. | Required | Recommended |
| | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | Recommended |
| | Services or applications running on systems manipulating Category-I data should implement encrypted communications. | Required | Recommended |
| | Logon banners must be present on systems. | Required | Recommended |
| | Access to non-public file system areas must require authentication. | Required | Recommended |
| | Strong password requirements will be enabled, as technology permits, based on the category of data the account is allowed to access. | Required | Recommended |
| | Apply the principle of least privilege to user, administrator, and system accounts. | Required | Recommended |
| Security Monitoring | If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | Recommended |
| | Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | Recommended |